Merge pull request #11858 from overleaf/jpa-access-token-encryptor-cleanup
[access-token-encryptor] drop support for encryption scheme v2 GitOrigin-RevId: b720997e01239a7b6443138c68485d5ab0c813ed
This commit is contained in:
parent
1e350f6a85
commit
b30d838c49
2 changed files with 10 additions and 65 deletions
|
@ -4,7 +4,6 @@ const crypto = require('crypto')
|
|||
const ALGORITHM = 'aes-256-ctr'
|
||||
|
||||
const cryptoHkdf = promisify(crypto.hkdf)
|
||||
const cryptoPbkdf2 = promisify(crypto.pbkdf2)
|
||||
const cryptoRandomBytes = promisify(crypto.randomBytes)
|
||||
|
||||
class AbstractAccessTokenScheme {
|
||||
|
@ -78,12 +77,6 @@ class AccessTokenSchemeWithGenericKeyFn extends AbstractAccessTokenScheme {
|
|||
}
|
||||
}
|
||||
|
||||
class AccessTokenSchemeV2 extends AccessTokenSchemeWithGenericKeyFn {
|
||||
async keyFn(salt) {
|
||||
return cryptoPbkdf2(this.cipherPassword, salt, 10000, 32, 'sha1')
|
||||
}
|
||||
}
|
||||
|
||||
class AccessTokenSchemeV3 extends AccessTokenSchemeWithGenericKeyFn {
|
||||
async keyFn(salt) {
|
||||
const optionalInfo = ''
|
||||
|
@ -103,7 +96,7 @@ class AccessTokenEncryptor {
|
|||
`cipherLabel must not contain a colon (:), got ${cipherLabel}`
|
||||
)
|
||||
}
|
||||
const [cipherLabelNoVersion, version] = cipherLabel.split('-')
|
||||
const [, version] = cipherLabel.split('-')
|
||||
if (!version) {
|
||||
throw new Error(
|
||||
`cipherLabel must contain version suffix (e.g. 2042.1-v42), got ${cipherLabel}`
|
||||
|
@ -118,27 +111,15 @@ class AccessTokenEncryptor {
|
|||
throw new Error(`cipherPasswords['${cipherLabel}'] is too short`)
|
||||
}
|
||||
|
||||
let scheme, schemeNoVersion
|
||||
let scheme
|
||||
switch (version) {
|
||||
case 'v2':
|
||||
scheme = new AccessTokenSchemeV2(cipherLabel, cipherPassword)
|
||||
schemeNoVersion = new AccessTokenSchemeV2(
|
||||
cipherLabelNoVersion,
|
||||
cipherPassword
|
||||
)
|
||||
break
|
||||
case 'v3':
|
||||
scheme = new AccessTokenSchemeV3(cipherLabel, cipherPassword)
|
||||
schemeNoVersion = new AccessTokenSchemeV3(
|
||||
cipherLabelNoVersion,
|
||||
cipherPassword
|
||||
)
|
||||
break
|
||||
default:
|
||||
throw new Error(`unknown version '${version}' for ${cipherLabel}`)
|
||||
}
|
||||
this.schemeByCipherLabel.set(cipherLabel, scheme)
|
||||
this.schemeByCipherLabel.set(cipherLabelNoVersion, schemeNoVersion)
|
||||
}
|
||||
|
||||
this.defaultScheme = this.schemeByCipherLabel.get(settings.cipherLabel)
|
||||
|
|
|
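Review bot: `this.defaultScheme = this.schemeByCipherLabel.get(settings.cipherLabel)` at the end of the last hunk can now silently yield `undefined`: the commit removes the `cipherLabelNoVersion` alias registration, so a settings.cipherLabel still written in the bare form (e.g. `2019.1`, which the old test settings used) no longer resolves to any scheme, and the failure would presumably surface only later at encrypt time rather than at construction. Unless a check already follows outside the hunk, add `if (!this.defaultScheme) throw new Error(\`settings.cipherLabel ${settings.cipherLabel} has no matching versioned cipherPasswords entry\`)` directly after that line; the constructor continues past the hunk. As a point of style, with only `case 'v3'` left the `let scheme` plus `switch` reads better as a guard: `if (version !== 'v3') throw new Error(\`unknown version '${version}' for ${cipherLabel}\`)` followed by `const scheme = new AccessTokenSchemeV3(cipherLabel, cipherPassword)`. Relatedly, `const [, version] = cipherLabel.split('-')` in the earlier hunk accepts a label with extra dashes (`2042.1-v3-x` parses as v3); checking `cipherLabel.split('-').length === 2` before the version switch would keep label validation strict.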
@ -13,17 +13,14 @@ describe('AccessTokenEncryptor', function () {
|
|||
'2016.1:76a7d64a444ccee1a515b49c44844a69:m5YSkexUsLjcF4gLncm72+k='
|
||||
this.encrypted2019 =
|
||||
'2019.1:627143b2ab185a020c8720253a4c984e:7gnY6Ez3/Y3UWgLHLfBtJsE=:bf75cecb6aeea55b3c060e1122d2a82d'
|
||||
this.encrypted2019v2 =
|
||||
'2019.1-v2:627143b2ab185a020c8720253a4c984e:7gnY6Ez3/Y3UWgLHLfBtJsE=:bf75cecb6aeea55b3c060e1122d2a82d'
|
||||
this.encrypted2023 =
|
||||
'2023.1-v3:a6dd3781dd6ce93a4134874b505a209c:9TdIDAc8V9SeR0ffSn63Jj4=:d8b2de0b733c81b949993dce229abb4c'
|
||||
this.badLabel = 'xxxxxx:c7a39310056b694c:jQf+Uh5Den3JREtvc82GW5Q='
|
||||
this.badKey = '2015.1:d7a39310056b694c:jQf+Uh5Den3JREtvc82GW5Q='
|
||||
this.badCipherText = '2015.1:c7a39310056b694c:xQf+Uh5Den3JREtvc82GW5Q='
|
||||
this.settings = {
|
||||
cipherLabel: '2019.1',
|
||||
cipherLabel: '2023.1-v3',
|
||||
cipherPasswords: {
|
||||
'2019.1-v2': '33333333333333333333333333333333333333',
|
||||
'2023.1-v3': '44444444444444444444444444444444444444',
|
||||
},
|
||||
}
|
||||
|
@ -130,7 +127,7 @@ describe('AccessTokenEncryptor', function () {
|
|||
this.encryptor.encryptJson(this.testObject, (err, encrypted) => {
|
||||
expect(err).to.be.null
|
||||
encrypted.should.match(
|
||||
/^2019.1:[0-9a-f]{32}:[a-zA-Z0-9=+/]+:[0-9a-f]{32}$/
|
||||
/^2023.1-v3:[0-9a-f]{32}:[a-zA-Z0-9=+/]+:[0-9a-f]{32}$/
|
||||
)
|
||||
done()
|
||||
})
|
||||
|
@ -146,34 +143,6 @@ describe('AccessTokenEncryptor', function () {
|
|||
})
|
||||
})
|
||||
})
|
||||
|
||||
describe('v3', function () {
|
||||
beforeEach(function () {
|
||||
this.settings.cipherLabel = '2023.1-v3'
|
||||
this.encryptor = new this.AccessTokenEncryptor(this.settings)
|
||||
})
|
||||
|
||||
it('should encrypt the object', function (done) {
|
||||
this.encryptor.encryptJson(this.testObject, (err, encrypted) => {
|
||||
expect(err).to.be.null
|
||||
encrypted.should.match(
|
||||
/^2023.1-v3:[0-9a-f]{32}:[a-zA-Z0-9=+/]+:[0-9a-f]{32}$/
|
||||
)
|
||||
done()
|
||||
})
|
||||
})
|
||||
|
||||
it('should encrypt the object differently the next time', function (done) {
|
||||
this.encryptor.encryptJson(this.testObject, (err, encrypted1) => {
|
||||
expect(err).to.be.null
|
||||
this.encryptor.encryptJson(this.testObject, (err, encrypted2) => {
|
||||
expect(err).to.be.null
|
||||
encrypted1.should.not.equal(encrypted2)
|
||||
done()
|
||||
})
|
||||
})
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
describe('decrypt', function () {
|
||||
|
@ -210,18 +179,13 @@ describe('AccessTokenEncryptor', function () {
|
|||
})
|
||||
})
|
||||
|
||||
it('should decrypt an 2019 string to get the same object', function (done) {
|
||||
it('should not be able to decrypt a 2019 string', function (done) {
|
||||
this.encryptor.decryptToJson(this.encrypted2019, (err, decrypted) => {
|
||||
expect(err).to.be.null
|
||||
expect(decrypted).to.deep.equal(this.testObject)
|
||||
done()
|
||||
})
|
||||
})
|
||||
|
||||
it('should decrypt an 2019 string with version to get the same object', function (done) {
|
||||
this.encryptor.decryptToJson(this.encrypted2019v2, (err, decrypted) => {
|
||||
expect(err).to.be.null
|
||||
expect(decrypted).to.deep.equal(this.testObject)
|
||||
expect(err).to.exist
|
||||
expect(err.message).to.equal(
|
||||
'unknown access-token-encryptor label 2019.1'
|
||||
)
|
||||
expect(decrypted).to.not.exist
|
||||
done()
|
||||
})
|
||||
})
|
||||
|
|
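Review bot: The constructor's new rejection path for a removed scheme version (`default: throw new Error(\`unknown version ...\`)` in the source file) has no test in this section as far as the hunks show: the `encrypted2019v2` fixture and its decrypt test are deleted, and the remaining new test only covers the unversioned `2019.1` label via `decryptToJson`. A test that a still-configured v2 password now fails fast at construction would pin the intended behaviour, e.g. `expect(() => new this.AccessTokenEncryptor({ ...this.settings, cipherPasswords: { ...this.settings.cipherPasswords, '2019.1-v2': '3'.repeat(38) } })).to.throw("unknown version 'v2' for 2019.1-v2")`. Minor: in `/^2023.1-v3:[0-9a-f]{32}:[a-zA-Z0-9=+/]+:[0-9a-f]{32}$/` the dot in `2023.1` is unescaped and matches any character; `2023\.1-v3` would match only the literal label.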